January 4th, 2009

Issues Page on the Google Code Wiki
Please only use it for actual issues. If you have any ideas for a jailbreak or something, that is really not the place for it. I even disabled it because of this, but somehow people have managed to keep creating new tickets…

Mini Manifesto
I have written up a mini manifesto, of sorts, related to the iPod Touch 2G. It is kinda small now, but I will probably add more stuff to it. It can be found on The iPhone Wiki. It will not be making an appearance in the Google Code wiki because it is meant to be actively contributed to, but please note that this is only if you know what you are talking about, I must stress that :)

In other news, break is over, time for work and school again. More importantly, time for me to slow down on hacking my new Apple TV and start working on iPod Touch 2G again. Yes, I take a vacation just like everyone else that is reading this blog :P

Documentation does not equal progress

December 24th, 2008

Please understand this. It is the cold hard truth. Just because I understand how something works does not mean that we have an exploit. Stuff in the wiki is just my notes that I have been taking and committing to the Google Code project. When I post the annotated range check routine from iBoot, it does not mean that I can bypass it, it just means that I know how it works. Same goes for the flag check: it does not suddenly mean I can use ‘diags’ to run unsigned code. It is simply documenting things I did not know before, and hopefully useful to anyone else that has been looking into this kind of thing. The code in the Google Code Wiki is not exploit code. It is annotated ARM machine code. Usually if I post the code there is an explanation of what it does on the page anyway. Are there enough people confused by it that I should take it down? Please let me know this in the comments.

Also, guys, please stop with the “fuck the dev team” comments / remarks. They are a very talented group, and the members of it are very nice. They are called the iPhone dev team because they work on the iPhone. Yes, it has the same OS as the iPod Touch, but the fact remains that they are two separate devices and if they do not feel the need to work on the iPod Touch 2G, well, that is their choice. I myself own an iPhone 3G; I only have the iPod Touch 2G for testing purposes. I just pursued this as a fun project, and I can say right now that all of the hate going around is not really helping in that department.

If you do not understand the wiki, do not worry about checking it. Trust me, if there is some actual major progress made, you will see it on this blog. Again, the wiki is mostly my notes along with a few other things. In fact, you will probably hear progress on this blog before you hear it on the wiki, as (1) that is for technical stuff and (2) I am now updating it via svn so that I do not lose anything due to my web browser crashing, so it is only updated every few days.

Again, you may want to just keep your eyes on Gizmodo if you are checking every single day to see the post “iPod Touch 2G has been jailbroken!”, because if we can actually manage to pull it off, it will not be within the month or 2 months, and I think that word would spread if it happened :) However, if you are interested in the technical aspect of things, you are reversing iBoot yourself, and / or you want to know how these things work, then feel free to follow along on the Google Code Wiki :)

Happy holidays everyone!
-chronic

Props!

December 21st, 2008

Note: this is not related to the 2G jailbreak

MuscleNerd, of the iPhone Dev Team, did a live demo of the 3G unlock today:

This was an awesome feat and I just wanted to say that the dev team did a great job on this. Personally, I do not need the unlock, but the fact that they managed to pull this off even with all of the baseband integrity checks in place amazes me, as it means (confirmed by MuscleNerd) that the check that says “Am I allowed to be used with this carrier?” is patched on-the-fly (in RAM) at every boot up. MuscleNerd has been working hard on this along with the rest of the dev team and I just would like to say congrats to them on getting this done.

Even more awesome, I have been told on IRC that during their CCC talk they will be talking about the more geeky / technical details of Pwnage2 along with the 3G unlock. You could consider this to be indirectly helping with the 2G jailbreak, in a way, because I have never been able to fully understand how they pulled off the Pwnage2 exploit to work so perfectly, and it just so happens that we need a bootrom exploit just like that for the iPod Touch 2G :)

A note about the Google Code page. I became incredibly frustrated when I had typed up a very long page on the boot sequence, only to (stupidly / accidentally) click one of the bookmarks on my Firefox toolbar and have it all go away when I pressed the ‘back’ button. So from now on, you will not see small wiki edits every day, but rather larger wiki edits every few days, as I plan to edit the pages in a text editor on my computer and then commit them to the Google Code page via svn.

PS: Happy holidays from all of us at chronicdev! I do plan to be doing a little bit of reversing during the break this week, but please understand that I have family to visit, and possibly a new gift to hax0r :)

PPS: westbaer talked to me today expressing interest in, if it is not already open-sourced, reversing yellowsn0w and creating an open-source implementation together for the fun of it. I liked the idea, so when it is released, for the first day in weeks I will close my bootrom.idb and open up yellowsn0w, and we will take a crack at making an open implementation. This will not take time away from the 2G jailbreak, as it will probably happen some time next week during a day I designated to take a break from the 2G hax. Also note that yellowsn0w will probably be much more stable and everything, we just figured it would be a fun thing to do :)

A New Challenge

December 15th, 2008

I originally posted this on the Google Code page, which is a page for people more informed on the technical stuff, but I think I will post it here too so that everyone can be kept informed.

Introduction
On February 27, 2008, the iPhone Dev Team demonstrated that they had the ability to load a custom recovery logo to the iPhone, bypassing signature checks. Then, two days later, they demonstrated that they could restore to a custom IPSW file. After that, they published some information on how the “Pwnage” exploit works, and then finally, a full presentation of the tool.

It was an amazing exploit, so low level that it could not be fixed, as it was in the hardware. The “Pwnage” exploit relied on the fact that the bootrom does not signature check LLB, breaking the chain of trust: that means you could patch the LLB signature check so that it would accept a patched iBoot, and that iBoot would accept a patched kernel, and so on. Or, the exploit in their words: “Pwnage exploits a bad chain of trust in the boot sequence of the S5L8900 device. The boot sequence includes LLB and iBoot modules which are stored in device NOR flash and are typically encrypted (as of 1.1.x). However, they are not signed with RSA signature at that point, because the 8900 container is dropped away before the file is written to NOR flash. Pwnage exploits this vulnerability”. Now, you still had to find a way to write to the NOR unsigned, but once that was done, you were golden.

Now, this applied to the iPhone, the iPod Touch, and even the iPhone 3G. But, the iPod Touch 2G is a different story.

What is the difference?
The iPod Touch 2G has WTF 2.0, or what we dubbed “DFU 2.0”, burned into the bootrom. It can no longer understand IMG2 files, so no sending old files and using old exploits, or using the 8900 parsing bug. Now, it can understand IMG3 files. Here is the kicker: IMG3 files are written to NOR the way they are right now, as in, with the container and everything. This means that the bootrom exploit that allowed Pwnage v1.0 and Pwnage v2.0 to work is gone, because now the bootrom will signature check LLB and refuse to boot it if it is patched. If the LLB is not patched, then it will definitely not boot a patched iBoot, and if iBoot is not patched, it will definitely not boot a patched kernel, and if the kernel is not patched, then it will definitely not boot any unsigned applications such as Cydia or Installer because of codesign checks.

Even if we are somehow able to decrypt the firmware files and patch them, then re-encrypt them, it is still no good. The bootrom will be able to now see, “oh, this LLB is patched, I refuse to boot it!”, and then the device just goes straight to DFU mode.
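To make the chain-of-trust argument above concrete, here is a toy model of the boot sequence, written for this page and not code from chronicdev or from any bootrom. Each stage (LLB, iBoot, kernel) carries a signature over its contents, and each stage may or may not verify the stage after it; the bootrom's policy toward LLB is the one knob that differs between the S5L8900-style chain and the iPod Touch 2G chain. The signature is an HMAC with a constructed key standing in for Apple's RSA signing key, which a device would never hold; everything else (stage names, payload bytes, the `patch` helper) is constructed for the example.

```python
"""Toy model of a verified boot chain (constructed example, not device code)."""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed stand-in for the vendor's signing key. Real devices verify RSA
# signatures with a public key; an HMAC secret is used here only so the
# example runs offline with the standard library.
VENDOR_KEY = b"constructed-vendor-signing-key"


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes
    checks_next: bool      # does this stage verify the signature of the next one?
    signature: bytes = b""

    def signed_bytes(self) -> bytes:
        # Everything that defines the stage's behaviour is under the signature,
        # including whether it enforces the check on the following stage.
        return self.name.encode() + b"|" + self.code + b"|" + bytes([self.checks_next])


def sign(stage: Stage) -> Stage:
    """Vendor side: attach a signature over the stage contents."""
    sig = hmac.new(VENDOR_KEY, stage.signed_bytes(), hashlib.sha256).digest()
    return replace(stage, signature=sig)


def verify(stage: Stage) -> bool:
    """Device side: does the attached signature match the current contents?"""
    expected = hmac.new(VENDOR_KEY, stage.signed_bytes(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, stage.signature)


def patch(stage: Stage) -> Stage:
    """Modify a stage without the signing key: the stale signature stays attached
    and no longer matches. A 'patched' stage here also stops checking the stage
    after it, which is what the post means by a patched LLB or iBoot."""
    return replace(stage, code=stage.code + b"+patch", checks_next=False)


def make_chain(patched=()) -> list[Stage]:
    """LLB -> iBoot -> kernel, all properly signed, then patch the named ones."""
    chain = [
        sign(Stage("LLB", b"llb-code", checks_next=True)),
        sign(Stage("iBoot", b"iboot-code", checks_next=True)),
        sign(Stage("kernel", b"kernel-code", checks_next=True)),
    ]
    return [patch(s) if s.name in patched else s for s in chain]


def boot(chain: list[Stage], bootrom_checks_llb: bool):
    """Walk the chain starting from the bootrom.
    Returns (names of stages that ran, outcome string)."""
    ran = []
    gate_verifies = bootrom_checks_llb   # bootrom's policy toward LLB
    for stage in chain:
        if gate_verifies and not verify(stage):
            return ran, f"refused: {stage.name} signature invalid"
        ran.append(stage.name)
        gate_verifies = stage.checks_next  # this stage now gates the next one
    return ran, "booted"


if __name__ == "__main__":
    everything_patched = make_chain(patched={"LLB", "iBoot", "kernel"})
    # S5L8900-style: bootrom does not verify LLB, so the one unverified link
    # lets every later patched stage through.
    print(boot(everything_patched, bootrom_checks_llb=False))
    # iPod Touch 2G-style: bootrom verifies LLB, so the patched LLB is refused
    # before anything runs.
    print(boot(everything_patched, bootrom_checks_llb=True))
    # Unpatched LLB with a patched iBoot: LLB itself refuses iBoot.
    print(boot(make_chain(patched={"iBoot", "kernel"}), bootrom_checks_llb=True))
```

The first call returns all three stages as booted, the second returns an empty list and a refusal at LLB, and the third runs LLB and then refuses iBoot. The point is that an unverified first link is enough to defeat every check downstream, because each later check is performed by code the previous stage was supposed to vouch for.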

Oh no! I can’t haz jailbreak?!
Well, a jailbreak is still possible. The boot sequence’s chain of trust is much tighter now, or rather, it is what it probably should have been in the first place. Anyway, even though the bootrom signature checks LLB, and there is no way around that, there may be some kind of bug in the signature checking routine, as with the 8900 routine. Another possibility that would probably not last long is a much, much higher level exploit, one in the kernel, that would allow the codesign mechanism to be tricked into running homebrew code.

Basically now, we may need two exploits, depending on what direction is taken. You can almost say we are ‘back to square one’ when you compare what we know here to what we know about the other devices: we cannot decrypt the new firmware kbags, we cannot Pwn in the classic meaning of it anymore, and it is a new processor. iRecovery is a great start because we can freely experiment by having the ability to upload files and communicate with iBoot.

Now, instead of just needing an exploit to get patched files into the NOR, we will need either 2 exploits, or one really good one. The two would be one that allows unsigned code to run, so we can strap a patched iBoot and decrypt and patch firmware files, then run a ramdisk to flash it to NOR, then another exploit that will allow a patched LLB to pass the signature check from the bootrom. Fortunately, the aforementioned two, if found, will probably be able to be combined into ‘one really good exploit’, because if it is in the parsing code like the Pwnage2 stack overflow was, then it can be used to pass a patched iBoot so we can Pwn, and so that DFU will pass a patched LLB as authentic. It is going to be a much bigger challenge than anticipated, but I am up for it :)

In essence, this could be thought of as kind of a step forward, because we now know what needs to be done, versus finding out later down the road that an iBoot exploit to just run unsigned code is only the beginning.

OMG PLZ UPDATE

December 13th, 2008

Many comments have been begging for an update, but to be honest, there is nothing really to update everyone on. If you actually understand the more technical things, then you can check out the various (previously undocumented) things that I am documenting about the bootloader and bootrom here.

Some rumors have been flying around about a “beta jailbreak”. This is simply not true, to be blunt. This seems to have started when some people impersonating chronicdev made a tumblr blog which had a theme ripping off the devteam blog theme (which I would never do no matter how awesome that theme was :P ) and claimed that “we” had found a jailbreak. What was the method, you ask? Did they make it somewhat believable by saying they found a flaw in the NOR flashing code that allowed freely flashing to the NOR by doing some trickery to the images to make it think that they are diagnostic bootloaders? I could believe that, but no, they did not. They opted to say “i just dragged cydia to itunes and it worked omg!”, and then contradicted themselves by saying it was being worked on. If it was as simple as dragging Cydia into iTunes, then why would the jailbreak need to be worked on? Let alone the fact that MISValidateSignature(); would say “nowai”: the kernel would not run it because the code is not signed by Apple. They did do one smart thing though: they took the blog down and posted an apology message before I woke up that morning.

WARNING!

November 28th, 2008

http://www.youtube.com/watch?v=Ix5gEKly6fQ

Chronic Dev says: stay away

there are all kinds of hoax videos like this, and many people have scoped them out to see if they are real. none have shown to be real, and apparently some install trojan horses. if there was a real jailbreak, trust me, i will post about it. although i am working on it, i am not doing it for fame, i am doing it to get this damn thing jailbroken. i would be all over any kind of real, true, jailbreak, i would not try to hold back from you guys. even if you don’t believe me, please, just be careful of the things you download. that is the golden rule of the internet, and some people tend to ignore it when they find something that they are really excited about.

chill

November 27th, 2008

people are freaking out and sending me emails asking if there is progress, why am i not posting, etc etc. chill, this kind of thing is harder than you think. its not like we go around trying to crash safari then say we have a jailbreak, like many people are thinking. that is not how it works. even if that was all there was to it in 2.*, there is still the case of actually exploiting it, writing shellcode, bypassing the fact that the stack in arm is nx, etc etc.

sit down, play some xbox, crack open a cold one, but whatever you do, just calm down. i don’t want to lie and say the jailbreak will not be coming for a long time, because i do not know that myself. but for the sake of your sanity, try to convince yourself that, so you are not checking my blog every hour :P yes, i am talking to the people who i see checking my blog 20+ times a day in addition to the feedburner pings i get from their RSS feeder -_-

keep an eye on http://chronicdev.googlecode.com/

If you have an iPhone 3G + AT&T

November 22nd, 2008

you can grab 3G-2.2-Pwnage.zip from here, instructions are in the description if you don’t know what to do with the bundles:
http://code.google.com/p/chronicdev/downloads/list

UPDATE - Wiki page + iPhone 2G Pwnage

that is something I made for myself to use the other day, which you saw screenshots of. I would have released sooner, but I had a beta copy of the 2.2 Cydia, not the final one yet. It is for use in PwnageTool, but may work in QuickPwn too, I don’t know.

Please note that I am on AT&T, and did not make an activation patch either. Also, the included MobileInstallation patch seems to have gotten screwed up.

This is just for people wanting to mess around early. It is by no means an early, clean, release. Just for iPhone 3G users on AT&T that want to jailbreak 2.2 early. Beta copies of the bundle have circulated on IRC last night it seems, so if you have a zip by the same name then that’s what it is. The only reason that I have not fixed my MobileInstallation patch and lockdownd patch is because (a) this was just for my own use until many people started asking me about it, and (b) devteam will probably have a release very soon, as they need to be sure it is totally safe before releasing something. For 3G users not on AT&T, they will also obviously have a lockdownd/activation patch too, so you don’t have to worry about that. If, for some reason, there is a strong delay in the devteam release, I will make an activation patch as well as fix the MobileInstallation patch, but it would still be considered beta, as only PwnageTool from devteam is the one that has been fully tested.

NOTE: The MobileInstallation patch is not to be used for warez. It is provided as an easier means of loading homebrew onto your iPhone, such as taking the MxTube application and making an IPA of it, so that you do not have to re-install it every time you restore, as iTunes will sync it for you with MobileInstallation patched. DO NOT USE IT FOR WAREZ.

NOTE 2: Please wait for SBSettings to be fixed before you install it, as it is having some problems on 2.2 according to some people on IRC.

2.2 Filesystem Dump - iPod Touch 2G

November 21st, 2008

The bug we used last time is still working :)

http://pastie.org/321028

2.2 Decryption Key

November 21st, 2008

Courtesy of wEsTbAeR– and Cpich3G:
dc39d88afe4cbd8a3f36824b8fd68acf04ac72718c09100816c5cb89889b8079e96802f0

This will decrypt the rootfs DMG for the iPhone, iPhone 3G, and iPod Touch 1G, but probably not the iPod Touch 2G, as Apple knew that if they gave it the same build number then we could decrypt it, so they had Forstall just go “meh” and press the ‘a’ key :P

Still no major updates on iPod Touch 2G jailbreak front, but you can see some research that we have posted if you check out http://chronicdev.googlecode.com/ and click on “wiki”.